U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Special Report

Fiscal Year 2009
Federal Information Security Management Act Report

Status of EPA’s Computer Security Program

Report No. 10-P-0030

November 18, 2009


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF INSPECTOR GENERAL

November 18, 2009

MEMORANDUM

SUBJECT:   Fiscal Year 2009 Federal Information Security Management Act Report:
           Status of EPA’s Computer Security Program
           Report No. 10-P-0030

FROM:      Bill A. Roderick
           Deputy Inspector General

TO:        Lisa P. Jackson
           Administrator

Attached is the Office of Inspector General’s (OIG’s) Fiscal Year 2009 Federal Information Security Management Act (FISMA) Reporting Template, as prescribed by the Office of Management and Budget (OMB). Williams, Adley and Company, LLP, performed this review under the direction of the U.S. Environmental Protection Agency’s OIG and performed the review in accordance with generally accepted government auditing standards. These standards require them to plan and perform the review to obtain sufficient and appropriate evidence to provide a reasonable basis for their findings and conclusions based on the objectives of the review.

Williams, Adley, and Company, LLP, limited their testing to those managerial controls necessary to achieve the objectives described in OMB Memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, August 20, 2009. Williams, Adley, and Company, LLP, did not test all managerial controls relevant to the effectiveness of the Agency’s information security program as broadly defined by FISMA.

We believe the evidence obtained provides a reasonable basis for our findings and conclusions, and in all material respects meets the FISMA reporting requirements prescribed by OMB. In accordance with OMB reporting instructions, I am forwarding this report to you for submission, along with the Agency’s required information, to the Director, OMB.

Furthermore, OIG audit work performed during Fiscal Year 2009 did not disclose material weaknesses with respect to the Agency’s information security program that should be disclosed pursuant to the Federal Managers’ Financial Integrity Act of 1982. However, OIG audits noted significant weaknesses with several aspects of EPA’s information security program. Appendix A synopsizes the results of our significant Fiscal Year 2009 information security audits.

The estimated cost for performing this audit, which includes contract costs and OIG contract management oversight, is $164,271.


Inspector General Section Report
2009 Annual FISMA Report
Environmental Protection Agency

2009 Annual FISMA Report - Environmental Protection Agency                Page 1 of 15

Question 1: FISMA Systems Inventory & Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

1. Identify the number of Agency and contractor systems by component and FIPS 199 impact level (low, moderate, high) reviewed.

2. For the Total Number of Reviewed Systems Identified by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Column key:
  Question 1
    a. Agency Systems: Total Number / Number Reviewed
    b. Contractor Systems: Total Number / Number Reviewed
    c. Total Number of Systems (Agency and Contractor systems): Total Number / Number Reviewed
  Question 2
    a. C&A    = Number of systems certified and accredited
    b. Tested = Number of systems for which security controls have been tested and reviewed in the past year
    c. CP     = Number of systems for which contingency plans have been tested in accordance with policy

                            --------------------- Question 1 ------------------------- Question 2 --------
                            a. Agency Systems b. Contractor Sys.c. Total Systems         a.       b.       c.
Agency/    Category             Total Reviewed    Total Reviewed    Total Reviewed      C&A   Tested       CP
Component
-------------------------------------------------------------------------------------------------------------
OA         High                     0        0        0        0        0        0        0        0        0
           Moderate                 0        0        0        0        0        0        0        0        0
           Low                      2        1        0        0        2        1        1        1        1
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                2        1        0        0        2        1        1        1        1
OAR        High                     1        0        0        0        1        0        0        0        0
           Moderate                 9        1        1        0       10        1        1        1        1
           Low                      3        0        1        0        4        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total               13        1        2        0       15        1        1        1        1
OARM       High                     0        0        0        0        0        0        0        0        0
           Moderate                 8        3        2        0       10        3        3        2        3
           Low                      0        0        0        0        0        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                8        3        2        0       10        3        3        2        3
OCFO       High                     0        0        0        0        0        0        0        0        0
           Moderate                15        2        0        0       15        2        1        2        2
           Low                      1        0        0        0        1        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total               16        2        0        0       16        2        1        2        2
OECA       High                     0        0        0        0        0        0        0        0        0
           Moderate                 7        0        0        0        7        0        0        0        0
           Low                      2        1        0        0        2        1        1        1        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                9        1        0        0        9        1        1        1        0
OEI        High                     0        0        0        0        0        0        0        0        0
           Moderate                17        1        4        2       21        3        3        3        3
           Low                     11        2        3        0       14        2        1        1        1
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total               28        3        7        2       35        5        4        4        4
OGC        High                     0        0        0        0        0        0        0        0        0
           Moderate                 0        0        0        0        0        0        0        0        0
           Low                      0        0        0        0        0        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                0        0        0        0        0        0        0        0        0
OIA        High                     0        0        0        0        0        0        0        0        0
           Moderate                 0        0        0        0        0        0        0        0        0
           Low                      0        0        0        0        0        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                0        0        0        0        0        0        0        0        0
OIG        High                     0        0        0        0        0        0        0        0        0
           Moderate                 7        0        0        0        7        0        0        0        0
           Low                      0        0        0        0        0        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                7        0        0        0        7        0        0        0        0
OPPTS      High                     0        0        0        0        0        0        0        0        0
           Moderate                 4        0        1        0        5        0        0        0        0
           Low                      1        0        0        0        1        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                5        0        1        0        6        0        0        0        0
ORD        High                     0        0        0        0        0        0        0        0        0
           Moderate                 5        0        0        0        5        0        0        0        0
           Low                      9        1        0        0        9        1        1        1        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total               14        1        0        0       14        1        1        1        0
OSWER      High                     0        0        0        0        0        0        0        0        0
           Moderate                 3        1        1        0        4        1        1        1        1
           Low                      4        0        1        0        5        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                7        1        2        0        9        1        1        1        1
OW         High                     0        0        0        0        0        0        0        0        0
           Moderate                 3        1        0        0        3        1        1        0        1
           Low                      0        0        0        0        0        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                3        1        0        0        3        1        1        0        1
R1         High                     0        0        0        0        0        0        0        0        0
           Moderate                 1        0        0        0        1        0        0        0        0
           Low                      0        0        0        0        0        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                1        0        0        0        1        0        0        0        0
R10        High                     0        0        0        0        0        0        0        0        0
           Moderate                 1        0        0        0        1        0        0        0        0
           Low                      0        0        0        0        0        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                1        0        0        0        1        0        0        0        0
R2         High                     0        0        0        0        0        0        0        0        0
           Moderate                 2        0        0        0        2        0        0        0        0
           Low                      0        0        0        0        0        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                2        0        0        0        2        0        0        0        0
R3         High                     0        0        0        0        0        0        0        0        0
           Moderate                 1        0        0        0        1        0        0        0        0
           Low                      0        0        0        0        0        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                1        0        0        0        1        0        0        0        0
R4         High                     0        0        0        0        0        0        0        0        0
           Moderate                 1        0        0        0        1        0        0        0        0
           Low                      0        0        0        0        0        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                1        0        0        0        1        0        0        0        0
R5         High                     0        0        0        0        0        0        0        0        0
           Moderate                 2        1        0        0        2        1        1        1        1
           Low                      1        0        0        0        1        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                3        1        0        0        3        1        1        1        1
R6         High                     0        0        0        0        0        0        0        0        0
           Moderate                 1        0        0        0        1        0        0        0        0
           Low                      0        0        0        0        0        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                1        0        0        0        1        0        0        0        0
R7         High                     0        0        0        0        0        0        0        0        0
           Moderate                 1        0        0        0        1        0        0        0        0
           Low                      0        0        0        0        0        0        0        0        0
           Not Categorized          0        0        0        0        0        0        0        0        0
           Sub Total                1        0        0        0        1
         0                        0                         0                         0\nR8                 High                   0           0           0             0          0              0                        0                         0                         0\n                   Moderate               1           0           0             0          1              0                        0                         0                         0\n                   Low                    1           1           0             0          1              1                        1                         1                         1\n                   Not Categorized        0           0           0             0          0              0                        0                         0                         0\n                   Sub Total              2           1           0             0          2              1                        1                         1                         1\n\n\n\n\n2009 Annual FISMA Report - Environmental Protection Agency                                                                                                           Page 6 of 15\n\x0c Question 1: FISMA Systems Inventory & Question 2: Certification and Accreditation, Security Controls\n Testing, and Contingency Plan Testing\n\n                                                                Question 1                                                                    Question 2\n\n                                            a.                      b.                          c.                     a.                        b.                        
c.\n                                      Agency Systems        Contractor Systems         Total Number of             Number of            Number of systems          Number of systems\n                                                                                     Systems(Agency and         systems certified       for which security             for which\n                                                                                     Contractor systems)         and accredited         controls have been         contingency plans\n                                                                                                                                        tested and reviewed        have been tested in\n                                                                                                                                          in the past year          accordance with\n                                                                                                                                                                         policy\n\n\n Agency/Component   Category            Total     Number      Total       Number        Total         Number\n                                      Number     Reviewed    Number      Reviewed     Number         Reviewed\n R9                 High                   0           0           0             0          0              0                        0                         0                          0\n                    Moderate               1           0           1             1          2              1                        1                         1                          1\n                    Low                    0           0           0             0          0              0                        0                         0                          0\n                    Not Categorized        0           0           0             0          0              0               
         0                         0                          0\n                    Sub Total              1           0           1             1          2              1                        1                         1                          1\n Agency Totals      High                   1           0           0             0          1              0                        0                         0                          0\n                    Moderate              90           10         10             3       100               13                     12                          11                         13\n                    Low                   35           6           5             0         40              6                        5                         5                          3\n                    Not Categorized        0           0           0             0          0              0                        0                         0                          0\n                    Total Systems        126           16         15             3       141               19                     17                          16                         16\n\n\n\n\n2009 Annual FISMA Report - Environmental Protection Agency                                                                                                            Page 7 of 15\n\x0cQuestion 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory\nThe Agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the Agency or other\norganization on behalf of the Agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and\nAgency policy.\n\nAgencies are responsible for ensuring the security of information systems used by a contractor of their Agency or other organization on\nbehalf of their Agency; therefore, self reporting by contractors does not meet the 
requirements of law. Self-reporting by another Federal Agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

3a. Does the Agency have policies for oversight of contractors?
     Yes

     3a(1). Is the policy implemented?
             Yes
             Comments: EPA's Network Security Policy states that the Agency must monitor contractors' compliance with information security responsibilities in Agency contracts. The policy is implemented; however, procedures and training could be improved for the Certification and Accreditation process.

3b. Does the Agency have a materially correct inventory of major information systems (including national security systems) operated by or under the control of such Agency?
     Yes

3c. Does the Agency maintain an inventory of interfaces between the Agency systems and all other systems, such as those not operated by or under the control of the Agency?
     Yes

3d. Does the Agency require agreements for interfaces between systems it owns or operates and other systems not operated by or under the control of the Agency?
     Yes

3e. The Agency inventory is maintained and updated at least annually.
     Yes

3f. The IG generally agrees with the CIO on the number of Agency-owned systems.
     Yes

3g. The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the Agency or other organization on behalf of the Agency.
     Yes

Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process

Assess whether the Agency has developed, implemented, and is managing an Agency-wide plan of action and milestones (POA&M) process, providing explanatory detail in the area provided.

4a. Has the Agency developed and documented an adequate policy that establishes a POA&M process for reporting IT security deficiencies and tracking the status of remediation efforts?
    Yes
    Comments: EPA has developed and implemented the following:
              - Procedure for Information Security Plans of Actions and Milestones (POA&Ms), dated June 18, 2004
              - EPA Certification and Accreditation Process, dated May 11, 2006
              - Quarterly and Annual Training to Information Security Officers on Entering POA&Ms
              - Automated Process for Entering POA&Ms in the Agency's tracking and reporting database

    4a(1). Has the Agency fully implemented the policy?
             Yes

4b. Is the Agency currently managing and operating a POA&M process?
    Yes

4c. Is the Agency's POA&M process an Agency-wide process, incorporating all known IT security weaknesses, including IG/external audit findings associated with information systems used or operated by the Agency or by a contractor of the Agency or other organization on behalf of the Agency?
    Yes

4d.
Does the POA&M process prioritize IT security weaknesses to help ensure significant IT security weaknesses are corrected in a timely manner and receive appropriate resources?
    Yes

4e. When an IT security weakness is identified, do program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s)?
     Yes

4f. For Systems Reviewed:
    4f(1). Are deficiencies tracked and remediated in a timely manner?
           Yes
    4f(2). Are the remediation plans effective for correcting the security weakness?
           Yes
    4f(3). Are the estimated dates for remediation reasonable and adhered to?
           Yes

4g. Do Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly)?
    Yes

4h. Does the Agency CIO centrally track, maintain, and independently review/validate POA&M activities on at least a quarterly basis?
    Yes

Question 5: IG Assessment of the Certification and Accreditation Process

Provide a qualitative assessment of the Agency's certification and accreditation (C&A) process, including adherence to existing policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems," for C&A work initiated after May 2004. This includes use of FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems," to determine a system impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans.

5a. Has the Agency developed and documented an adequate policy for establishing a C&A process that follows the NIST framework?
     Yes

5b. Is the Agency currently managing and operating a C&A process in compliance with its policies?
     Yes

5c. For Systems reviewed, does the C&A process adequately provide:
     5c(1). Appropriate risk categories
             Yes
     5c(2). Adequate risk assessments
             No
     5c(3). Selection of appropriate controls
             Yes
     5c(4). Adequate testing of controls
             No
     5c(5). Regular monitoring of system risks and the adequacy of controls
             Yes

5d. For systems reviewed, is the Authorizing Official presented with complete and reliable C&A information to facilitate an informed system Authorization to Operate decision based on risks and controls implemented?
     No
     Comments: Based on the systems selected for review, information security documentation was neither complete nor accurate enough for an authorizing official to make an informed decision to authorize a system for operation.

Question 6: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process

Provide a qualitative assessment of the Agency's process, as discussed in the SAOP section, for protecting privacy-related information, including adherence to existing policy, guidance and standards. Provide explanatory information in the area provided.

6a. Has the Agency developed and documented adequate policies that comply with OMB guidance in M-07-16, M-06-15, and M-06-16 for safeguarding privacy-related information?
     Yes

6b. Is the Agency currently managing and operating a privacy program with appropriate controls in compliance with its policies?
     Yes

6c. Has the Agency developed and documented an adequate policy for PIAs?
     Yes

6d.
Has the Agency fully implemented the policy and is the Agency currently managing and operating a process for performing adequate PIAs?
     Yes

Question 7: Configuration Management

7a. Is there an Agency-wide security configuration policy?
     Yes

7a(1). For each OS/platform/system for which your Agency has a configuration policy, please indicate the status of implementation for that policy. For each platform, the tools and techniques the Agency uses for monitoring compliance are listed by Tool/Technique Name and Tool Category.

     OS/Platform/System: Microsoft Windows 2000
     Implementation Status: Policy fully implemented
         Symantec RMS, Bindview, Security Configuration Management Tool        Network Monitoring Software
         Lumension Patchlink                                                   Patch Scanners

     OS/Platform/System: Redhat Enterprise Linux 4
     Implementation Status: Policy fully implemented
         Unix Security Checklist, Tripwire, Enterprise Security Manager,
         Bindview, NOS Admin, Symantec Control Compliance Suite               Network Monitoring Software

     OS/Platform/System: IBM AIX 5
     Implementation Status: Policy fully implemented
         Afick, Symantec Control Compliance Suite Product                      Network Monitoring Software

     OS/Platform/System: Microsoft Windows XP
     Implementation Status: Policy fully implemented
         Symantec RMS, Bindview, Security Configuration Management Tool        Network Monitoring Software
         Lumension Patchlink                                                   Patch Scanners

     OS/Platform/System: Sun Solaris 9
     Implementation Status: Policy fully implemented
         Unix Security Checklist, Tripwire, Bindview, NOS Admin Basic
         Security Module                                                       Network Monitoring Software
         C2 Auditing                                                           Log Analysis Software
         Enterprise Security Manager                                           Vulnerability Scanners

     OS/Platform/System: Sun Solaris 10
     Implementation Status: Policy fully implemented
         Unix Security Checklist, Tripwire, Bindview, NOS Admin Basic
         Security Module                                                       Network Monitoring Software
         C2 Auditing                                                           Log Analysis Software
         Enterprise Security Manager                                           Vulnerability Scanners

7b. Indicate the status of the implementation of Federal Desktop Core Configuration (FDCC) at your Agency:
    7b(1). Agency has documented deviations from FDCC standard configuration.
            Yes
    7b(2). New Federal Acquisition Regulation 2008-004 language, which modified "Part 39-Acquisition of Information Technology," is included in all contracts related to common security settings.
            Yes

Question 8: Incident Reporting

8a. How often does the Agency comply with documented policies and procedures for identifying and reporting incidents internally?
    90 % to 100 %

8b.
How often does the Agency comply with documented policies and procedures for timely reporting of incidents to US-CERT?
    90 % to 100 %

8c. How often does the Agency follow documented policies and procedures for reporting to law enforcement?
    90 % to 100 %

Question 9: Security Awareness Training

Provide an assessment of whether the Agency has provided IT security awareness training to all users with log-in privileges, including contractors. Also provide an assessment of whether the Agency has provided appropriate training to employees with significant IT security responsibilities.

9a. Has the Agency developed and documented an adequate policy for identifying all general users, contractors, and system owners/employees who have log-in privileges, and providing them with suitable IT security awareness training?
     Yes

9b. Report the following for your Agency:
     9b(1). Total number of people with log-in privileges to Agency systems.
              22,325
     9b(2). Number of people with log-in privileges to Agency systems that received information security awareness training during the past fiscal year, as described in NIST Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program."
              22,281 (100 %)
     9b(3). Total number of employees with significant information security responsibilities.
              507
     9b(4). Number of employees with significant security responsibilities that received specialized training, as described in NIST Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model."
              491 (97 %)

Question 10: Peer-to-Peer File Sharing

10. Does the Agency explain policies regarding the use of peer-to-peer file sharing in IT security awareness training, ethics training, or any other Agency-wide training?
     Yes

                                                                              Appendix A

        Summary of Significant Fiscal Year 2009
                Security Control Audits

During Fiscal Year 2009, the U.S. Environmental Protection Agency's (EPA's) Office of Inspector General (OIG) initiated the following audits of EPA's information technology security program and information systems. The following synopsizes key findings.

1. Improved Security Planning Needed for the Customer Technology Solutions (CTS) Project, Report No. 10-P-0028, November 16, 2009

   In general, EPA needs to (1) direct the CTS contractor to develop and implement a vulnerability testing and remediation process for CTS equipment, (2) issue a memorandum to Agency Senior Information Officials requiring their program offices to conduct vulnerability testing of CTS equipment until a formal vulnerability testing and management process with CTS has been established, (3) require the CTS contractor to remediate identified vulnerabilities in a timely manner and inform the respective Senior Information Official when they complete the corrective action, and (4) ensure all key actions outlined in the conditional CTS authorization to operate are completed by the defined milestone dates.

2. Project Delays Prevent EPA from Implementing an Agency-wide Information Security Vulnerability Management Program, Report No.
09-P-0240, September 21, 2009

   EPA needs to (1) create plans of action and milestones for unimplemented recommendations, (2) update the Management Audit Tracking System to show the status of each implemented audit recommendation, (3) provide EPA program and regional offices with an alternative solution for vulnerability management, (4) establish a workgroup to solicit input on training needs and facilitate rolling out the Agency-wide vulnerability management program, and (5) issue an updated memorandum discussing guidance and requirements.

   EPA concurred with the recommendations and subsequently implemented corrective actions to adequately address the report recommendations.

3. ECHO Data Quality Audit – Phase I Results: The Integrated Compliance Information System Needs Security Controls to Protect Significant Non-Compliance Data, Report No. 09-P-0226, August 31, 2009

   EPA needs to implement data security features to limit the end users' ability to change data field information. EPA plans to explore additional options to restrict manual override of data field information.

4. EPA Should Delay Deploying Its New Acquisition System until Testing Is Completed, Report No. 09-P-0197, July 20, 2009

   EPA needs to (1) identify and document all system requirements; (2) update, review, and implement formal testing policies and procedures; (3) test all system requirements; (4) update the project schedule to communicate the current status of and future project activities; and (5) develop and implement oversight procedures to ensure system development activities and future projects adhere to all requirements.

   EPA concurred with the findings and will delay deployment until the next fiscal year.

5. Steps Taken But More Work Needed to Strengthen Governance, Increase Utilization, and Improve Security Planning for the Exchange Network, Report No. 09-P-0184, June 30, 2009

   In general, EPA needs to (1) submit an updated corrective action plan for unimplemented recommendations, (2) recertify and reaccredit the Central Data Exchange, (3) update the Central Data Exchange security plan and develop the contingency plan in accordance with federal guidance, and (4) conduct a formal, independent risk assessment for the Central Data Exchange.

6. Lack of Project Plan Resulted in Transition and Contractor Performance Problems for the Institutional Controls Tracking System, Report No. 09-P-0128, March 25, 2009

   In general, EPA needs to (1) document procedures for overseeing development activities as prescribed by Agency guidance, and (2) conduct and document a review of system documentation to ensure the documentation is current.

   EPA concurred with the findings and recommendations and provided a complete corrective action plan to address the report's recommendations.

7. Review of the Quality of Self-Reported Security Information in EPA's Automated Security Self-Evaluation and Remediation Tracking (ASSERT) System, Assignment No. 2008-0003

   The primary objective of this assignment is to determine whether EPA has implemented effective management control processes for maintaining the quality of the data in EPA's ASSERT system. The OIG plans to issue a final report by December 2009.

As part of the Fiscal Year 2009 Federal Information Security Management Act audit, the following series of network vulnerability reports were issued to EPA's offices to address high-risk vulnerabilities:

-  Results of Technical Network Vulnerability Assessment: EPA's Great Lakes National Program Office, Report No. 09-P-0185, June 30, 2009
-  Results of Technical Network Vulnerability Assessment: EPA's National Computer Center, Report No. 09-P-0186, June 30, 2009
-  Results of Technical Network Vulnerability Assessment: Region 8, Report No. 09-P-0187, June 30, 2009
-  Results of Technical Network Vulnerability Assessment: EPA's Potomac Yard Buildings, Report No. 09-P-0188, June 30, 2009
-  Results of Technical Network Vulnerability Assessment: EPA's 1310 L Street Building, Report No. 09-P-0189, June 30, 2009
-  Results of Technical Network Vulnerability Assessment: EPA's Research Triangle Park Finance Center, Report No. 09-P-0227, August 31, 2009

EPA officials developed plans of action and milestones to remediate the network vulnerabilities.

As part of the Fiscal Year 2008 Federal Information Security Management Act audit, the following series of network vulnerability reports were issued to EPA's offices to address high- and medium-risk vulnerabilities:

-  Results of Technical Network Vulnerability Assessment: EPA Headquarters, Report No. 09-P-0097, February 23, 2009
-  Results of Technical Network Vulnerability Assessment: EPA's Research Triangle Park Campus, Report No. 09-P-0055, December 9, 2008
-  Results of Technical Network Vulnerability Assessment: EPA's Las Vegas Finance Center, Report No. 09-P-0054, December 9, 2008
-  Results of Technical Network Vulnerability Assessment: EPA's Radiation and Indoor Environments National Laboratory, Report No. 09-P-0053, December 9, 2008
-  Results of Technical Network Vulnerability Assessment: Region 9, Report No. 09-P-0052, December 9, 2008

EPA officials developed plans of action and milestones to remediate the network vulnerabilities.

                                                                              Appendix B

                                    Distribution

Office of the Administrator
Acting Assistant Administrator for Environmental Information and Chief Information Officer
Acting Director, Office of Technology Operations and Planning, Office of Environmental Information
Senior Agency Information Security Officer, Office of Environmental Information
Acting Director, Technology and Information Security Staff, Office of Environmental Information
General Counsel
Agency Follow-up Official (the CFO)
Agency Follow-up Coordinator
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Deputy Inspector General